Mailing List Archive

Backup FortiGate 100D
Dear All,
I am running Rancid in a production environment and backing up Cisco routers and switches, and it's working great.
Plan to back up FortiGate: I have 2 FortiGates in active/active HA in our production data center.
Can I go with the same steps as I do when I add another Cisco switch or router, or does anything need to be done either on the rancid server side or the FortiGate side? Appreciate your kind advice.
Since this FortiGate is in production I just want to be more cautious.
Thanks and Regards
simon
Re: Backup FortiGate 100D
Thanks heasley and Ugo for your prompt reply, will implement and update. Really appreciate it.
Thanks and Regards
simon
On Tuesday, November 30, 2021, 09:45:10 PM GMT+3, heasley <heas@shrubbery.net> wrote:

Tue, Nov 30, 2021 at 06:16:58PM +0000, simon ben:
> Dear All,
> I am running Rancid in a production environment and backing up Cisco routers and switches, and it's working great.
> Plan to back up FortiGate: I have 2 FortiGates in active/active HA in our production data center.
> Can I go with the same steps as I do when I add another Cisco switch or router, or does anything need to be done either on the rancid server side or the FortiGate side? Appreciate your kind advice.
> Since this FortiGate is in production I just want to be more cautious.

The device type used in your router.db must be one of the following,
assuming you have a recent version of rancid:

# Fortinet Fortigate firewall
# Normal or FULL (with defaults) configuration
fortigate;script;rancid -t fortigate
fortigate;login;fnlogin
fortigate;timeout;90
fortigate;module;fortigate
fortigate;inloop;fortigate::inloop
fortigate;command;fortigate::GetSystem;get system status
fortigate;command;fortigate::GetConf;show
#
fortigate-full;script;rancid -t fortigate-full
fortigate-full;login;fnlogin
fortigate-full;timeout;90
fortigate-full;module;fortigate
fortigate-full;inloop;fortigate::inloop
fortigate-full;command;fortigate::GetSystem;get system status
fortigate-full;command;fortigate::GetConf;show full-configuration

the user that rancid logs in as on the fortigate must have the permission
to run the commands above.
Re: Backup FortiGate 100D
Dear All,
Btw, appreciate and thanks for the reply from Heasley and Ugo.
As I mentioned below, I am trying to back up my FortiGate 1000D (sorry for the typo in my earlier email, 100D), so to test before I edit router.db and .cloginrc I ran the below:
/usr/local/rancid/bin/fnlogin -t 90 -c "get system status" 172.16.xx.xx
I see the following and it does not connect:

172.16.xx.xx
spawn telnet -K 172.16.xx.xx
Trying 172.16.xx.xx...
Do I need to add the below commands in my .cloginrc file the same way I do for Cisco routers and switches? I'd appreciate it if you can help me with the syntax in my .cloginrc file.
Thanks and Regards
simon

Re: Backup FortiGate 100D
Tue, Dec 07, 2021 at 05:34:27AM +0000, simon ben:
> Dear All,
> Btw, appreciate and thanks for the reply from Heasley and Ugo.
> As I mentioned below, I am trying to back up my FortiGate 1000D (sorry for the typo in my earlier email, 100D), so to test before I edit router.db and .cloginrc I ran the below:
> /usr/local/rancid/bin/fnlogin -t 90 -c "get system status" 172.16.xx.xx
> I see the following and it does not connect:
>
> 172.16.xx.xx
> spawn telnet -K 172.16.xx.xx
> Trying 172.16.xx.xx...

That is unrelated to rancid. Maybe it only accepts ssh or it has a packet
filter that is blocking you? For ssh to be tried first you might need to
add to your cloginrc; 'add <glob> method {ssh}'

fnlogin -m 172.16.xx.xx
will show you which cloginrc lines are matching.

> Do I need to add the below commands in my .cloginrc file the same way I do for Cisco routers and switches? I'd appreciate it if you can help me with the syntax in my .cloginrc file.

Those configurations are in the rancid.conf.base of rancid 3.10 or newer.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: Backup FortiGate 100D
On 12/7/21, 9:45 AM, "Rancid-discuss on behalf of heasley" <rancid-discuss-bounces@www.shrubbery.net on behalf of heas@shrubbery.net> wrote:

Tue, Dec 07, 2021 at 05:34:27AM +0000, simon ben:
> Dear All,
> Btw, appreciate and thanks for the reply from Heasley and Ugo.
> As I mentioned below, I am trying to back up my FortiGate 1000D (sorry for the typo in my earlier email, 100D), so to test before I edit router.db and .cloginrc I ran the below:
> /usr/local/rancid/bin/fnlogin -t 90 -c "get system status" 172.16.xx.xx
> I see the following and it does not connect:
>
> 172.16.xx.xx
> spawn telnet -K 172.16.xx.xx
> Trying 172.16.xx.xx...

That is unrelated to rancid. Maybe it only accepts ssh or it has a packet
filter that is blocking you? For ssh to be tried first you might need to
add to your cloginrc; 'add <glob> method {ssh}'

Correct. fnlogin is trying telnet, which is disabled by default on FGT devices. Like heas suggests, try 'add method ssh' in your .cloginrc.

On the FortiGate, you can check for telnet most easily from the CLI:

Example show command:

fw01a # show system global
config system global
set admin-port 8080
set admin-server-cert "fw01a"
set admin-sport 8443
set admin-telnet disable
set admintimeout 120
set alias "FortiGate-VM64"
set autorun-log-fsck enable
set gui-ipv6 enable
set hostname "fw01a"
set timezone 08
end

Note that in FortiOS, configuration defaults are not exposed with 'show' - you need to enter config mode and do 'show full-configuration' and you can grep to match:

fw01a # config sys global

fw01a (global) # show full-configuration
config system global
set admin-concurrent enable
set admin-console-timeout 0
set admin-hsts-max-age 15552000
set admin-https-pki-required disable
set admin-https-redirect enable
set admin-https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-login-max 100
set admin-maintainer enable
set admin-port 8080
set admin-restrict-local disable
set admin-scp disable
set admin-server-cert "fw01a"
set admin-sport 8443
set admin-ssh-grace-time 120
set admin-ssh-password enable
set admin-ssh-port 22
set admin-ssh-v1 disable
set admin-telnet disable
set admintimeout 120
set alias "FortiGate-VM64"
set allow-traffic-redirect enable
set anti-replay strict
set arp-max-entry 131072
set auth-cert "Fortinet_Factory"
set auth-http-port 1000
set auth-https-port 1003
set auth-keepalive disable
set auth-session-limit block-new
set auto-auth-extension-device enable
set autorun-log-fsck enable
set av-affinity "0"
set av-failopen pass
set av-failopen-session disable
set batch-cmdb enable
set block-session-timer 30
set br-fdb-max-entry 8192
set cert-chain-max 8
set cfg-save automatic
set check-protocol-header loose
set check-reset-range disable

fw01a (global) # show full-configuration | grep telnet
set admin-telnet disable

This is FortiOS v6.4.7; YMMV.

AK



Re: Backup FortiGate 1000D
Thanks Heasley, Ugo and Adam for your immediate response, I really appreciate it. Actually I am a little confused and do apologize for the same.
It's been working fine; also I used clogin before instead of fnlogin and was actually confused.
Actually I also had the below in my .cloginrc file:
fortigate-full;script;rancid -t fortigate-full
fortigate-full;login;fnlogin
fortigate-full;timeout;90
fortigate-full;module;fortigate
fortigate-full;inloop;fortigate::inloop
fortigate-full;command;fortigate::GetSystem;get system status
fortigate-full;command;fortigate::GetConf;show full-configuration
Once again I'm sorry for the bother and also for being so silly.
Thanks and Regards
simon

Re: Backup FortiGate 1000D
simon ben wrote:
> Thanks Heasley, Ugo and Adam for your immediate response, I really appreciate it.
> Actually I am a little confused and do apologize for the same.
> It's been working fine; also I used clogin before instead of fnlogin and was actually confused.
> Actually I also had the below in my .cloginrc file

First off, use fnlogin instead of clogin - the terminal environment/pagination/etc. is different in FortiOS versus IOS, so that's why there's a different login script.

That's the wrong stuff for .cloginrc. That goes into $PREFIX/etc/rancid.types.{base|conf} - and should be there by default, depending on your rancid version.

Your .cloginrc should look somewhat like this for a FGT, assuming the hostname of said FGT is fw.foo.com:

add user fw.foo.com admin
add password fw.foo.com {somepassword} {null}
add autoenable fw.foo.com 1
add method fw.foo.com ssh
add identity fw.foo.com $env(HOME)/.ssh/id_rsa

For that add identity line, this would be useful if you enable ssh key authentication for the admin user on the FGT.

AK

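The two mistakes in this thread (rancid.types entries pasted into .cloginrc, and no 'method ssh' so fnlogin spawns telnet against a FortiGate that has telnet disabled) are both visible in the two files before any login attempt. The script below is an added example, not part of rancid or this thread: a pre-flight check that parses router.db and .cloginrc, applies rancid's first-match glob rule for .cloginrc, flags every "up" fortigate/fortigate-full whose first login method is not ssh, and flags stray rancid.types lines. The script name, the example.net hosts and the sample file contents are constructed for the demo; the assumed default method order "telnet ssh" is the one heasley's reply implies.

```shell
#!/bin/sh
# fortigate-preflight.sh: sanity-check rancid's router.db and .cloginrc before
# the first fnlogin run against a FortiGate. Added example for this thread, not
# part of rancid. Assumes rancid 3.x syntax: router.db is "host;type;state",
# .cloginrc lines are "add <attribute> <host-glob> <value>", first match wins.

# Print the .cloginrc value of attribute $2 for host $1 (braces stripped).
# The host field is matched as a glob, as rancid does; return 1 if no match.
cloginrc_get() {
    host=$1 attr=$2 rc=$3
    while read -r kw a glob val; do
        [ "$kw" = add ] && [ "$a" = "$attr" ] || continue
        # $glob is deliberately unquoted so the case pattern is the glob itself
        case "$host" in
            $glob) printf '%s\n' "$val" | tr -d '{}'; return 0 ;;
        esac
    done < "$rc"
    return 1
}

# For every "up" fortigate/fortigate-full in router.db, require ssh to be the
# first login method: FortiOS ships with telnet disabled, so the assumed
# default "telnet ssh" order leaves fnlogin stuck in "Trying ..." first.
# Prints one WARN line per host; returns 0 only if nothing was flagged.
check_fortigate_methods() {
    db=$1 rc=$2 bad=0
    while IFS=';' read -r host type state _; do
        case "$host" in ''|'#'*) continue ;; esac
        case "$type" in fortigate|fortigate-full) ;; *) continue ;; esac
        [ "$state" = up ] || continue
        method=$(cloginrc_get "$host" method "$rc") || method='telnet ssh'
        case "${method%% *}" in
            ssh) ;;
            *) printf 'WARN %s: method "%s"; add to .cloginrc: add method %s {ssh}\n' \
                   "$host" "$method" "$host"
               bad=$((bad + 1)) ;;
        esac
    done < "$db"
    [ "$bad" -eq 0 ]
}

# rancid.types entries ("fortigate-full;login;fnlogin" ...) do not belong in
# .cloginrc; they live in $PREFIX/etc/rancid.types.conf. Flag any that strayed.
check_stray_types() {
    stray=$(grep -E '^[A-Za-z0-9_-]+;(script|login|timeout|module|inloop|command);' "$1")
    [ -z "$stray" ] && return 0
    printf 'WARN rancid.types lines in %s, move them to rancid.types.conf:\n%s\n' "$1" "$stray"
    return 1
}

run_checks() {
    status=0
    check_fortigate_methods "$1" "$2" || status=1
    check_stray_types "$2" || status=1
    return "$status"
}

# Constructed sample files (hypothetical hosts, not the thread's real devices):
# fw-a has ssh configured, fw-b relies on the default and gets flagged, fw-lab
# is down and skipped, and one rancid.types line has been pasted into .cloginrc.
write_samples() {
    cat > "$1/router.db" <<'EOF'
rtr1.example.net;cisco;up
fw-a.example.net;fortigate-full;up
fw-b.example.net;fortigate-full;up
fw-lab.example.net;fortigate;down
EOF
    cat > "$1/cloginrc" <<'EOF'
add user       *                rancid
add password   *                {s3cret} {null}
add autoenable *                1
add method     fw-a.example.net {ssh}
add identity   fw-a.example.net $env(HOME)/.ssh/id_rsa
add method     rtr*             {telnet ssh}
fortigate-full;login;fnlogin
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    run_checks "$dir/router.db" "$dir/cloginrc"
    st=$?
    rm -r "$dir"
    return "$st"
}

# Usage: sh fortigate-preflight.sh ROUTER_DB CLOGINRC, or --demo for the samples.
if [ "${1:-}" = --demo ]; then
    demo
elif [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it with --demo to see the two findings on the constructed files (fw-b.example.net falls through to the default method order, and the fortigate-full;login;fnlogin line is reported as a stray rancid.types entry); point it at the real files before the first rancid-run. The host glob is evaluated with the shell's case pattern, which agrees with rancid's Tcl string match for the usual * and ? wildcards, and the exit status is non-zero whenever something was flagged so it can gate a deployment script.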